-
Suggestion
-
Resolution: Unresolved
-
9
-
Problem
An agent can add a customer to the project from UI with only Service Desk Team role and creating customer account for that user at User Management is handled by the application. But in the case of API, the permission needed is Jira Administrator Global permission to create the customer and Service desk administrator permission to add the customer to a service desk project.
The Jira Service Desk Cloud REST API - Create Customer
The Jira Service Desk Cloud REST API - Add Customer
Why This Is Important
Giving Global level permission to create a portal-only customer (which is essentially adding a customer to the project) is not appropriate. Creating a portal only customer should require only Service desk administrator permission or adding the customer to the project through API should handle the create customer part.
- mentioned in
-
Page Failed to load
[JSDCLOUD-9396] Create Customer API should require only Service desk administrator permission and not Jira Administrator Global permission
Hi folks,
we try to use a admin in User-Access-role, which seems to be especially designed to create users and customers.
It is nice because a user in User-access-role only, do not require a user license. The user in user-access-role can exatly do what it is designed for; the user can create customers and users.
But:
this user able to do it in the UI only. Why the hell, the REST-API did not offer the just the same feature set? To use the same user with REST API you have to put him into the global permission role. Nonsense.
Waiting more than 3 years for something that should have been done from the very beginning is just shitty.
This is not the only ticket I have been waiting for several years... I repeat... several years.
I guess it will be done when I retire.
Atlassian is the typical business that believes it's god but in fact customers just do not want to migrate because it's a huge headache. When the time comes and Atlassian will loose customers I will laugh and say I told ya
Makes no sense. I can create the organization for the user without Jira Admin permissions, but i cannot create the users that goes into the orgs.
When can we expect this to be changed?
Echoing this one - the fact that you can create an account via email with no permissions whatsoever, yet need a full Admin permissions scope to do the same thing via an API, is really inconsistent and just waiting for exploitation.
Onboarding friction is an important part of any customer experience, so automatic creation of accounts is a really key usability point - but right now my onboarder requires the capability to nuke our entire Jira instance to hit this requirement. Fix it!
How can this wrong role requirement of the API be dealt with as a Suggestion instead of a bug by Atlassian?
The Jira Service Desk API is inconsistent with the Jira Service Desk Web user interface in terms of who can create Customer (portal-only) accounts.
This doesn't make any sense!
We are trying to improve/automate our "onboarding" process and this totally block us from doing so. It's a pity that this is not implemented (or will be any time soon).
Giving "admin" permissions to an "API user" that only needs to add users to a project is unacceptable and we are not willing to worry about our Atlassian account security just because of this.
This is a big security concern.
You should be able to create a net new Portal Only customer with displayName in a specific Jira Service Desk project via one API call without Global Admin permissions (and you should be able to create them in the UI with displayName too... where you can currently only create them with only an email address... but if we can at least mimic that email-only creation via API, it would be better than now).
Currently, you need to have Global Admin permissions and need to hit three endpoints (because if you try to create someone that already exists you just get a failure and no accountId)... one to search to see if the user exists (best to use the Jira Platform endpoint): https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-user-search/#api-rest-api-3-user-search-get (you could skip this and use error handling on the next call if you want).... then if no user exists create via this endpoint: https://developer.atlassian.com/cloud/jira/service-desk/rest/api-group-customer/#api-rest-servicedeskapi-customer-post ... then make sure they are added to your project if it is not a login free project open to anyone: https://developer.atlassian.com/cloud/jira/service-desk/rest/api-group-servicedesk/#api-rest-servicedeskapi-servicedesk-servicedeskid-customer-post
You really should only need to hit the add endpoint (last one) to do all three of those things in one call.
This other issue touches on that error at the create endpoint that makes this too complex (and that endpoint requires too high of a permission level as stated above in the description): https://jira.atlassian.com/browse/JSDCLOUD-9007
I recommend allowing us to provide an emailAddress and displayName to https://developer.atlassian.com/cloud/jira/service-desk/rest/api-group-servicedesk/#api-rest-servicedeskapi-servicedesk-servicedeskid-customer-post and if no email address is found, it creates the portalOnly customer at the instance level like the create endpoint does... if the email is already found, then it just returns 204 like today when it hits a match on accountId.
Agreed. If a user can create a customer via the user interface, they should also be able to do so via the API.
The only reason not to implement a requested feature is that no one is using it, which leads to the conclusion, did anyone use the RESTAPI in real life at all?
Weird...